* MAC Filtering
@ 2004-01-14 23:52 Gopal Chandavarapu
2004-01-21 13:55 ` Harald Welte
0 siblings, 1 reply; 15+ messages in thread
From: Gopal Chandavarapu @ 2004-01-14 23:52 UTC (permalink / raw)
To: netfilter-devel
Hi All,
A specific hardware platform and its cross compiler need version 2.4.14 of the
Linux kernel. I have to do MAC filtering for these devices, so I found that
http://ebtables.sourceforge.net/documentation.html#whatdo
does MAC filtering. ----------- Good till now.
Problem: The problem is that ebtables works only with Linux kernel 2.4.22/23
and version 2.6.x.
Question 1: Is there any other module like ebtables which does MAC
filtering and works with the 2.4.14 kernel?
Question 2: The MAC filter module should be capable of filtering the
packets at run time.
That means that the filter should be able to ACCEPT all packets from MAC
address A for some time and, upon the user's request at run time, it should be
able to take a new MAC address B and ACCEPT only from B and DROP/ACCEPT
packets from A.
Please let me know.
Thanks
Gopal.
* MAC Filtering
@ 2004-01-14 23:58 Gopal Chandavarapu
0 siblings, 0 replies; 15+ messages in thread
From: Gopal Chandavarapu @ 2004-01-14 23:58 UTC (permalink / raw)
To: netfilter
* Re: MAC Filtering
2004-01-14 23:52 Gopal Chandavarapu
@ 2004-01-21 13:55 ` Harald Welte
0 siblings, 0 replies; 15+ messages in thread
From: Harald Welte @ 2004-01-21 13:55 UTC (permalink / raw)
To: Gopal Chandavarapu; +Cc: netfilter-devel
On Wed, Jan 14, 2004 at 03:52:10PM -0800, Gopal Chandavarapu wrote:
> Hi All,
>
> A specific hardware and its cross compiler need 2.4.14 version of the
> linux kernel. I have to do MAC filtering for these devices, so I found that
>
> http://ebtables.sourceforge.net/documentation.html#whatdo
>
> does MAC filtering. ----------- Good till now.
>
> Problem: The problem is that ebtables works only with Linux kernel 2.4.22/23
> and version 2.6.x.
This is the netfilter/iptables mailinglist. Please ask questions
related to ebtables on the linux bridging mailinglist.
> Thanks
> Gopal.
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* MAC Filtering
@ 2005-01-05 13:25 Erwin Van de Velde
[not found] ` <17648.213.236.112.75.1104937880.squirrel@213.236.112.75>
0 siblings, 1 reply; 15+ messages in thread
From: Erwin Van de Velde @ 2005-01-05 13:25 UTC (permalink / raw)
To: netfilter-devel
Hi,
I'm designing software for a testlab for testing mobility protocols. I use
wireless-over-wired links and link down events should be simulated by a
blocking firewall on both ends. The nodes only have the source and
destination MAC addresses for each link (it is possible that multiple
interfaces have the same IP address and that different 'wireless' interfaces
have different transmit ranges).
Is it possible to filter on both the source and destination MAC address? I
only found the option with source MAC address...
Ebtables is not an option as bridges are needed there.
If not possible with the normal netfilter, is there a patch that can do it? Is
it even possible to do such a thing?
Thanks in adv,
Erwin Van de Velde
University of Antwerp
Belgium
* Re: MAC Filtering
[not found] ` <17648.213.236.112.75.1104937880.squirrel@213.236.112.75>
@ 2005-01-05 16:12 ` Erwin Van de Velde
2005-01-05 16:22 ` Patrick Schaaf
2005-01-05 18:16 ` Bart De Schuymer
0 siblings, 2 replies; 15+ messages in thread
From: Erwin Van de Velde @ 2005-01-05 16:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: Martijn Lievaart
Hi,
I don't want to bridge, I only said I have to when using ebtables. I need MAC
filtering without bridging... I'm fully aware of the fact that iptables works
on layer 3 and that MAC is layer 2, however if it can filter on source MAC
addresses, why can't it filter on destination MAC addresses?
Best regards,
Erwin
> If you bridge, you cannot use iptables. iptables operates on layer 3
> (routed) and the destination MAC is always the MAC of the firewall.
> Ebtables operates on layer 2 (switched) and can filter traffic based on
> source and destination MAC address.
>
> So I think ebtables is exactly what you need.
>
> HTH,
> Martijn Lievaart
* Re: MAC Filtering
2005-01-05 16:12 ` Erwin Van de Velde
@ 2005-01-05 16:22 ` Patrick Schaaf
2005-01-05 18:16 ` Bart De Schuymer
1 sibling, 0 replies; 15+ messages in thread
From: Patrick Schaaf @ 2005-01-05 16:22 UTC (permalink / raw)
To: Erwin Van de Velde; +Cc: netfilter-devel, Martijn Lievaart
> if it can filter on source MAC addresses, why can't it filter on destination
> MAC addresses?
Destination MAC addresses are potentially unknown until after an ARP reply
has been received. All iptables processing has already been done before
an ARP request is even sent...
best regards
Patrick
* Re: MAC Filtering
2005-01-05 16:12 ` Erwin Van de Velde
2005-01-05 16:22 ` Patrick Schaaf
@ 2005-01-05 18:16 ` Bart De Schuymer
1 sibling, 0 replies; 15+ messages in thread
From: Bart De Schuymer @ 2005-01-05 18:16 UTC (permalink / raw)
To: erwin.vandevelde; +Cc: netfilter-devel, Martijn Lievaart
On Wed, 05-01-2005 at 17:12 +0100, Erwin Van de Velde wrote:
> Hi,
>
> I don't want to bridge, I only said I have to when using ebtables. I need MAC
> filtering without bridging... I'm fully aware of the fact that iptables works
> on layer 3 and that MAC is layer 2, however if it can filter on source MAC
> addresses, why can't it filter on destination MAC addresses?
You can use ebtables without using a bridge as follows:
brctl addbr br0
brctl addif br0 eth0
ifconfig eth0 0.0.0.0
ifconfig br0 $IP_OF_ETH0_SIDE
brctl addbr br1
brctl addif br1 eth1
ifconfig eth1 0.0.0.0
ifconfig br1 $IP_OF_ETH1_SIDE
Change your routing table as needed. Your router thus uses brx instead
of ethx to transmit and receive packets. ebtables will see the packets,
so you can do
ebtables -A OUTPUT -d $A_MAC_ADDRESS -j <target>
If you only need to check the destination address in one direction, f.e.
traffic leaving on eth0, you only need one bridge (in this case only
br0), with the proper routing table.
The downside is that your performance will downgrade substantially,
because all traffic will be queued twice.
cheers,
Bart
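Bart's bridge-per-interface trick scripted end to end, as an added example that is not Bart's code or part of the thread, extended for Erwin's use case of simulating a link-down event between a known source/destination MAC pair on the node itself. Interface names, the IP address and the MAC addresses are assumed placeholders; with DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the thread). Wrap a single interface in its own
# bridge so ebtables sees locally routed traffic, then drop frames between
# one source/destination MAC pair in both directions to emulate a link
# going down. Interface names, addresses and MACs are assumptions.
set -eu

run() {
    # With DRY_RUN=1 print the command instead of executing it.
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# wrap_iface ETH BR IP: move ETH's address onto a one-port bridge BR
# (Bart's recipe); adjust the routing table afterwards as needed.
wrap_iface() {
    eth=$1 br=$2 addr=$3
    run brctl addbr "$br"
    run brctl addif "$br" "$eth"
    run ifconfig "$eth" 0.0.0.0
    run ifconfig "$br" "$addr"
}

# link_down LOCAL_MAC PEER_MAC: block the pair in both directions.
# OUTPUT sees frames leaving the local stack, INPUT frames entering it;
# nothing is bridged between ports, so FORWARD is not involved.
link_down() {
    local_mac=$1 peer_mac=$2
    run ebtables -A OUTPUT -s "$local_mac" -d "$peer_mac" -j DROP
    run ebtables -A INPUT -s "$peer_mac" -d "$local_mac" -j DROP
}

# link_up LOCAL_MAC PEER_MAC: remove exactly the rules link_down added.
link_up() {
    local_mac=$1 peer_mac=$2
    run ebtables -D OUTPUT -s "$local_mac" -d "$peer_mac" -j DROP
    run ebtables -D INPUT -s "$peer_mac" -d "$local_mac" -j DROP
}

case "${1:-}" in
    setup) wrap_iface "${2:-eth0}" "${3:-br0}" "${4:-192.0.2.1}" ;;
    down)  link_down "$2" "$3" ;;
    up)    link_up "$2" "$3" ;;
esac
```

As Bart notes, every frame is queued twice with this setup, so it costs throughput; for a test lab that simulates link failures that is usually acceptable.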
* MAC Filtering
@ 2005-06-14 20:55 Claude Biron
2005-06-16 16:22 ` Charlie Brady
0 siblings, 1 reply; 15+ messages in thread
From: Claude Biron @ 2005-06-14 20:55 UTC (permalink / raw)
To: netfilter-devel
I hope you don't mind me asking you a question re: ebtables. I'm looking to
use ebtables to do MAC filtering in a wireless router in AP mode (default).
The object is to do the following:
1. on router startup, prevent all but the host PC from connecting.
2. allow a specified MAC to make a connection.
3. drop/block the MAC at some point in time. Their current connection
is dropped.
The following ebtables commands do not work. Is there a simple solution?
Many thanks in advance! Using the Linksys WRT54GS router with SVEASOFT.
1. (on startup block all MACs except one)
ebtables -N check_mac
ebtables -A check_mac -s 00:11:11:B6:A9:21 -j ACCEPT
ebtables -t filter -F INPUT
ebtables -t filter -F FORWARD
ebtables -P INPUT DROP
ebtables -P FORWARD DROP
ebtables -A INPUT --logical-in br0 -j check_mac
ebtables -A FORWARD --logical-in br0 -j check_mac
2. (allow a MAC access)
ebtables -A check_mac -s xx:xx:xx:xx:xx:xx -j ACCEPT
3. (drop or prevent access)
ebtables -D check_mac -s xx:xx:xx:xx:xx:xx -j ACCEPT
* Re: MAC Filtering
2005-06-14 20:55 MAC Filtering Claude Biron
@ 2005-06-16 16:22 ` Charlie Brady
0 siblings, 0 replies; 15+ messages in thread
From: Charlie Brady @ 2005-06-16 16:22 UTC (permalink / raw)
To: Claude Biron; +Cc: netfilter-devel
On Tue, 14 Jun 2005, Claude Biron wrote:
> I hope you don't mind asking you a question re: ebtables.
This is the wrong list for two reasons:
- this is netfilter, not ebtables
- this list concerns ongoing development of netfilter, not usage.
Please see:
http://ebtables.sourceforge.net/contact.html#lists
> The following ebtables commands do not work. Is there a simple solution?
> Many thanks in advance! Using the Linksys WRT54GS router with SVEASOFT.
Since you've paid for that software you should ask for support from your
supplier. Your supplier, BTW, is using software freely shared with him by
others, but is actively suppressing any efforts for his "work" to be
shared around.
---
Charlie
* MAC filtering
@ 2005-06-29 11:56 varun_saa
2005-06-29 15:58 ` Gustavo Castro Puig
2005-06-29 20:30 ` /dev/rob0
0 siblings, 2 replies; 15+ messages in thread
From: varun_saa @ 2005-06-29 11:56 UTC (permalink / raw)
To: netfilter
Hello,
To allow a particular MAC, I plan to use the rule
as suggested in my previous post:
iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
Now how do you block all other MAC addresses in the first place?
How do I write a rule for that?
Thanks
Varun
* Re: MAC filtering
2005-06-29 11:56 MAC filtering varun_saa
@ 2005-06-29 15:58 ` Gustavo Castro Puig
2005-06-29 20:30 ` /dev/rob0
1 sibling, 0 replies; 15+ messages in thread
From: Gustavo Castro Puig @ 2005-06-29 15:58 UTC (permalink / raw)
To: netfilter
Varun:
I suggest you check a project called "ebtables". It may be of interest
to you: http://ebtables.sourceforge.net/
Anyway, I think you can do this to disable all other MAC addresses:
iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
iptables -A FORWARD -m mac --mac-source ! ff:ff:ff:ff:ff:ff -j DROP
But if you want to allow more MACs, then you may need to write a custom
chain and pass all those MACs into it.
I hope this helps you.
> Hello,
> To allow a particular MAC, I plan to use the rule
> as suggested in my previous post:
>
> iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
>
> Now how do you block all other MAC addresses in the first place?
> How do I write a rule for that?
>
> Thanks
>
> Varun
Regards,
Gustavo Castro Puig.
E-Mail: gcastro@gcp.com.uy
* Re: MAC filtering
2005-06-29 11:56 MAC filtering varun_saa
2005-06-29 15:58 ` Gustavo Castro Puig
@ 2005-06-29 20:30 ` /dev/rob0
1 sibling, 0 replies; 15+ messages in thread
From: /dev/rob0 @ 2005-06-29 20:30 UTC (permalink / raw)
To: netfilter
On Wednesday 29 June 2005 06:56, varun_saa@vsnl.net wrote:
> To allow a particular MAC, I plan to use the rule
> as suggested in my previous post:
>
> iptables -A FORWARD -m mac --mac-source ff:ff:ff:ff:ff:ff -j ACCEPT
>
> Now how do you block all other MAC addresses in the first place?
> How do I write a rule for that?
iptables -A FORWARD -j DROP
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
* mac filtering
@ 2010-04-21 3:55 ratheesh k
2010-04-21 5:54 ` Marek Kierdelewicz
2010-04-21 7:49 ` Lars Nooden
0 siblings, 2 replies; 15+ messages in thread
From: ratheesh k @ 2010-04-21 3:55 UTC (permalink / raw)
To: netfilter
I have a client machine (say A) connected to a Linux router. I
can browse the internet without any problem.
In the router, I can configure MAC address filters. If I configure A's
MAC address to be disabled, can A not access the router itself?
Question: What exactly does a MAC address filter mean? Disabling router
access or disabling internet access?
Thanks,
Ratheesh
* Re: mac filtering
2010-04-21 3:55 mac filtering ratheesh k
@ 2010-04-21 5:54 ` Marek Kierdelewicz
2010-04-21 7:49 ` Lars Nooden
1 sibling, 0 replies; 15+ messages in thread
From: Marek Kierdelewicz @ 2010-04-21 5:54 UTC (permalink / raw)
To: ratheesh k; +Cc: netfilter
Hi,
> I have a client machine (say A) connected to a Linux router. I
> can browse the internet without any problem.
> In the router, I can configure MAC address filters. If I configure A's
> MAC address to be disabled, can A not access the router itself?
> Question: What exactly does a MAC address filter mean? Disabling router
> access or disabling internet access?
If you add the following rule you'll block access to the internet, not to
the router:
iptables -A FORWARD -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
This rule will block access to the router without affecting access to
the internet:
iptables -A INPUT -m mac --mac-source xx:xx:xx:xx:xx:xx -j DROP
You can find a nice diagram representing packet flow in netfilter here
(focus on the green background if you're only routing, not bridging):
http://www.imagestream.com/~josh/PacketFlow.gif
Best regards,
Marek
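A runtime-changeable MAC allowlist built on Gustavo's custom-chain suggestion and Marek's INPUT/FORWARD distinction, as an added example that is not code from the thread; it is the iptables counterpart of Claude's three ebtables steps and also covers Gopal's "replace A with B at run time" case. The LAN interface name and the MAC addresses are assumed placeholders; the jump into the allowlist chain is inserted at position 1 so that it runs before any ESTABLISHED/RELATED rule, which is what makes revoking a MAC cut its already-open connections as Claude's step 3 asks.

```shell
#!/bin/sh
# Added example (not from the thread): MAC allowlist for clients on one LAN
# interface, enforced both for traffic to the router (INPUT) and through it
# (FORWARD). Interface name and MAC addresses are assumed placeholders.
set -eu
LAN_IF=${LAN_IF:-eth1}
CHAIN=mac_allow

run() {
    # With DRY_RUN=1 print the command instead of executing it.
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# allowlist_init (run once at startup): create the chain whose last rule
# drops everything no earlier RETURN rule matched. The jumps go in at
# position 1 so they run before any "-m conntrack --ctstate ESTABLISHED"
# rule; otherwise a revoked client would keep its existing connections.
allowlist_init() {
    run iptables -N "$CHAIN"
    run iptables -A "$CHAIN" -j DROP
    run iptables -I INPUT 1 -i "$LAN_IF" -j "$CHAIN"
    run iptables -I FORWARD 1 -i "$LAN_IF" -j "$CHAIN"
}

# allow MAC: RETURN to the calling chain so its normal rules still apply.
allow() {
    run iptables -I "$CHAIN" 1 -m mac --mac-source "$1" -j RETURN
}

# revoke MAC: delete the RETURN rule; the trailing DROP takes over at once
# because the mac match keeps no connection state.
revoke() {
    run iptables -D "$CHAIN" -m mac --mac-source "$1" -j RETURN
}

# swap OLD NEW: admit NEW before dropping OLD so there is no window in
# which neither client is allowed.
swap() {
    allow "$2"
    revoke "$1"
}

case "${1:-}" in
    init)   allowlist_init ;;
    allow)  allow "$2" ;;
    revoke) revoke "$2" ;;
    swap)   swap "$2" "$3" ;;
esac
```

Lars's caveat below still applies: the match is on whatever source MAC the client chooses to send, so this is access control against accidental connection, not against a host that can change its address.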
* Re: mac filtering
2010-04-21 3:55 mac filtering ratheesh k
2010-04-21 5:54 ` Marek Kierdelewicz
@ 2010-04-21 7:49 ` Lars Nooden
1 sibling, 0 replies; 15+ messages in thread
From: Lars Nooden @ 2010-04-21 7:49 UTC (permalink / raw)
To: ratheesh k; +Cc: netfilter
On 04/21/2010 06:55 AM, ratheesh k wrote:
> Question: What exactly does a MAC address filter mean? Disabling router
> access or disabling internet access?
The rule acts on what the user or that user's system has chosen at that
particular moment to use as its chosen string to identify the network
interface when contacting the router.
That kind of filtering is of very limited use in most activities.
/Lars